-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
c30f89b
commit 8a9c95f
Showing
6 changed files
with
356 additions
and
338 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,25 +1,28 @@ | ||
| # Changelog | ||
|
|
||
| ## [0.0.1] 2022-11-07 | ||
| - Initial | ||
|
|
||
|
|
||
| ## [0.0.2] 2022-11-07 | ||
| - Fixed issue where ~/.ck-sso-cli/config.json file is not created before configuration | ||
| ## [0.1.0] 2022-11-07 | ||
| - Fixed issue where if .aws/ folder is non existent then the folder is created | ||
|
|
||
| ## [0.2.0] 2022-11-08 | ||
| - Added support for email id so that it is displayed in CloudTrail | ||
|
|
||
| ## [0.2.1] 2022-11-08 | ||
| - Minor bug fix | ||
|
|
||
| ## [1.0.0] 2022-11-08 | ||
| - Completed testing and ready for major release | ||
|
|
||
| ## [1.0.1] 2023-05-23 | ||
| - Bug fix: Could not find config.json when the user was not in their home directory | ||
|
|
||
| ## [1.0.1] 2023-05-23 | ||
| - Temporary Patch: Host multiple profiles at the same time | ||
| # Changelog | ||
|
|
||
| ## [0.0.1] 2022-11-07 | ||
| - Initial | ||
|
|
||
|
|
||
| ## [0.0.2] 2022-11-07 | ||
| - Fixed issue where ~/.ck-sso-cli/config.json file is not created before configuration | ||
| ## [0.1.0] 2022-11-07 | ||
| - Fixed issue where if .aws/ folder is non existent then the folder is created | ||
|
|
||
| ## [0.2.0] 2022-11-08 | ||
| - Added support for email id so that it is displayed in CloudTrail | ||
|
|
||
| ## [0.2.1] 2022-11-08 | ||
| - Minor bug fix | ||
|
|
||
| ## [1.0.0] 2022-11-08 | ||
| - Completed testing and ready for major release | ||
|
|
||
| ## [1.0.1] 2023-05-23 | ||
| - Bug fix: Could not find config.json when the user was not in their home directory | ||
|
|
||
| ## [1.0.1] 2023-05-23 | ||
| - Temporary Patch: Host multiple profiles at the same time | ||
|
|
||
| ## [2.0.0] 2024-02-28 | ||
| - Feature: Added support for Windows |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,96 +1,96 @@ | ||
| # CK-SSO-CLI - Retrieve AWS Credentials when Using External AWS Accounts in IAM Identity Center | ||
| Authenticates a user against AWS IAM Identity Center (SSO) and then retrieves the credentials to update the ~/.aws/credentials file | ||
| ## Operating System Support | ||
| This project is currently supported in the following Operating Systems - | ||
| - `macOS` | ||
| - `Linux` | ||
| - `WSL on Windows` | ||
|
|
||
| Windows is not natively supported. | ||
| ## Python Support | ||
| This project is written for **Python 3.6 and above**. | ||
|
|
||
| *Older versions of Python are not supported.* | ||
| ## Prerequisites | ||
| ### AWS IAM Identity Center (SSO) Prerequisites | ||
| - Create a Permission Set in the SSO account which has the permission to perform sts:AssumeRole on any resource (*) | ||
| - Go to IAM Roles in the SSO account and retrieve the Role ARN of the newly created Permission Set | ||
| - Attach the Permission Set to the required Users/Groups | ||
| - Go to the destination account and create a new IAM Role where the trusted entity is the Role ARN retrieved in the previous step | ||
| - Attach the requisite permissions that you wish for the user to access in the destination account | ||
|
|
||
| ### Software Prerequisites | ||
| - macOS, Linux or WSL on Windows OS | ||
| - [Python 3.6 or above](https://www.python.org/downloads/) | ||
| - [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) | ||
| ## Installation | ||
|
|
||
| - `pip3 install ck-sso-cli` | ||
| - Execute `ck-sso-cli help` to check if the tool is installed correctly | ||
| - If you get an error saying `Command ck-sso-cli not found` then add the Python packages installation folder to the Path environment variable. | ||
| - For Linux, it would be `/home/{username}/.local/bin` | ||
|
|
||
| - For macOS, it would be `/Users/{username}/Library/Python/{Python Version}/bin` | ||
|
|
||
| - To make sure that you don't have to do this everytime, modify your `~/.bashrc` to add the Python Packages folder to the Path | ||
|
|
||
|
|
||
| - Execute `ck-sso-cli configure` and follow the steps to configure your IAM Identity Center profile OR | ||
| - Configure ck-sso-cli via the `~/.ck-sso-cli/config.json` file with the following parameters: | ||
| ``` | ||
| { | ||
| "default": { | ||
| "sso_start_url": "https://d-xxxxxx.awsapps.com/start/", | ||
| "sso_region": "us-east-1", | ||
| "sso_account_id": "4xxxxxxxxx8", | ||
| "sso_role_name": "AssumeRole_AdminAccess", | ||
| "region": "us-east-1", | ||
| "output": "json", | ||
| "destination_role_arn": "arn:aws:iam::2xxxxxxxxx4:role/SSO_CLI_AdminAccess", | ||
| "email_id": "[email protected]" | ||
| } | ||
| } | ||
| ``` | ||
| - Named profiles can also be created by executing `ck-sso-cli configure --profile my_profile` | ||
| - Named profiles can be directly created in the `~/.ck-sso-cli/config.json` by creating a separate section | ||
| ``` | ||
| { | ||
| "myprofile": { | ||
| "sso_start_url": "https://d-yyyyy.awsapps.com/start/", | ||
| "sso_region": "us-east-1", | ||
| "sso_account_id": "4xxxxxxxxx8", | ||
| "sso_role_name": "AssumeRole_AdminAccess", | ||
| "region": "us-east-1", | ||
| "output": "json", | ||
| "destination_role_arn": "arn:aws:iam::2xxxxxxxxx4:role/SSO_CLI_AdminAccess", | ||
| "email_id": "[email protected]" | ||
| }, | ||
| "default": { | ||
| "sso_start_url": "https://d-xxxxxx.awsapps.com/start/", | ||
| "sso_region": "us-east-1", | ||
| "sso_account_id": "4xxxxxxxxx8", | ||
| "sso_role_name": "AssumeRole_ROAccess", | ||
| "region": "us-east-1", | ||
| "output": "json", | ||
| "destination_role_arn": "arn:aws:iam::2yyyyyyyyyy4:role/SSO_CLI_ROAccess", | ||
| "email_id": "[email protected]" | ||
| } | ||
| } | ||
| ``` | ||
| ## About the Parameters | ||
| - `email_id`: Your official email ID that is used for logging into SSO | ||
| - `sso_start_url`: The start URL of the SSO page. This should be in the format of `https://{domain-name}.awsapps.com/start/` | ||
| - `sso_region`: The region where SSO is provisioned. For example, `us-east-1` | ||
| - `sso_account_id`: The AWS account ID where SSO is provisioned | ||
| - `sso_role_name`: The name of the Permission Set that would be used for CLI access | ||
| - `destination_role_arn`: The ARN of the IAM Role created in the destination account which the above Permission Set is allowed to assume | ||
|
|
||
| All the above parameters are mandatory. | ||
|
|
||
| ## Usage | ||
| - Configure ck-sso-cli by running `ck-sso-cli configure` (or `ck-sso-cli configure --profile my_profile`) | ||
| - Once configured, run `ck-sso-cli login` (or `ck-sso-cli login --profile my_profile`) | ||
| - In case of default, the credentials will be written in the `~/.aws/credentials` file under the default section | ||
| - In case of a named profile, the credentials will be writtne in the `~/.aws/credentials` file under the named profile section | ||
| - You can now start using AWS CLI | ||
| # CK-SSO-CLI - Retrieve AWS Credentials when Using External AWS Accounts in IAM Identity Center | ||
| Authenticates a user against AWS IAM Identity Center (SSO) and then retrieves the credentials to update the ~/.aws/credentials file | ||
| ## Operating System Support | ||
| This project is currently supported in the following Operating Systems - | ||
| - `macOS` | ||
| - `Linux` | ||
| - `WSL on Windows` | ||
| - `Windows` | ||
|
|
||
| ## Python Support | ||
| This project is written for **Python 3.6 and above**. | ||
|
|
||
| *Older versions of Python are not supported.* | ||
| ## Prerequisites | ||
| ### AWS IAM Identity Center (SSO) Prerequisites | ||
| - Create a Permission Set in the SSO account which has the permission to perform sts:AssumeRole on any resource (*) | ||
| - Go to IAM Roles in the SSO account and retrieve the Role ARN of the newly created Permission Set | ||
| - Attach the Permission Set to the required Users/Groups | ||
| - Go to the destination account and create a new IAM Role where the trusted entity is the Role ARN retrieved in the previous step | ||
| - Attach the requisite permissions that you wish for the user to access in the destination account | ||
|
|
||
| ### Software Prerequisites | ||
| - macOS, Linux or WSL on Windows OS | ||
| - [Python 3.6 or above](https://www.python.org/downloads/) | ||
| - [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) | ||
| ## Installation | ||
|
|
||
| - `pip3 install ck-sso-cli` | ||
| - Execute `ck-sso-cli help` to check if the tool is installed correctly | ||
| - If you get an error saying `Command ck-sso-cli not found` then add the Python packages installation folder to the Path environment variable. | ||
| - For Linux, it would be `/home/{username}/.local/bin` | ||
|
|
||
| - For macOS, it would be `/Users/{username}/Library/Python/{Python Version}/bin` | ||
|
|
||
| - To make sure that you don't have to do this everytime, modify your `~/.bashrc` to add the Python Packages folder to the Path | ||
|
|
||
|
|
||
| - Execute `ck-sso-cli configure` and follow the steps to configure your IAM Identity Center profile OR | ||
| - Configure ck-sso-cli via the `~/.ck-sso-cli/config.json` file with the following parameters: | ||
| ``` | ||
| { | ||
| "default": { | ||
| "sso_start_url": "https://d-xxxxxx.awsapps.com/start/", | ||
| "sso_region": "us-east-1", | ||
| "sso_account_id": "4xxxxxxxxx8", | ||
| "sso_role_name": "AssumeRole_AdminAccess", | ||
| "region": "us-east-1", | ||
| "output": "json", | ||
| "destination_role_arn": "arn:aws:iam::2xxxxxxxxx4:role/SSO_CLI_AdminAccess", | ||
| "email_id": "[email protected]" | ||
| } | ||
| } | ||
| ``` | ||
| - Named profiles can also be created by executing `ck-sso-cli configure --profile my_profile` | ||
| - Named profiles can be directly created in the `~/.ck-sso-cli/config.json` by creating a separate section | ||
| ``` | ||
| { | ||
| "myprofile": { | ||
| "sso_start_url": "https://d-yyyyy.awsapps.com/start/", | ||
| "sso_region": "us-east-1", | ||
| "sso_account_id": "4xxxxxxxxx8", | ||
| "sso_role_name": "AssumeRole_AdminAccess", | ||
| "region": "us-east-1", | ||
| "output": "json", | ||
| "destination_role_arn": "arn:aws:iam::2xxxxxxxxx4:role/SSO_CLI_AdminAccess", | ||
| "email_id": "[email protected]" | ||
| }, | ||
| "default": { | ||
| "sso_start_url": "https://d-xxxxxx.awsapps.com/start/", | ||
| "sso_region": "us-east-1", | ||
| "sso_account_id": "4xxxxxxxxx8", | ||
| "sso_role_name": "AssumeRole_ROAccess", | ||
| "region": "us-east-1", | ||
| "output": "json", | ||
| "destination_role_arn": "arn:aws:iam::2yyyyyyyyyy4:role/SSO_CLI_ROAccess", | ||
| "email_id": "[email protected]" | ||
| } | ||
| } | ||
| ``` | ||
| ## About the Parameters | ||
| - `email_id`: Your official email ID that is used for logging into SSO | ||
| - `sso_start_url`: The start URL of the SSO page. This should be in the format of `https://{domain-name}.awsapps.com/start/` | ||
| - `sso_region`: The region where SSO is provisioned. For example, `us-east-1` | ||
| - `sso_account_id`: The AWS account ID where SSO is provisioned | ||
| - `sso_role_name`: The name of the Permission Set that would be used for CLI access | ||
| - `destination_role_arn`: The ARN of the IAM Role created in the destination account which the above Permission Set is allowed to assume | ||
|
|
||
| All the above parameters are mandatory. | ||
|
|
||
| ## Usage | ||
| - Configure ck-sso-cli by running `ck-sso-cli configure` (or `ck-sso-cli configure --profile my_profile`) | ||
| - Once configured, run `ck-sso-cli login` (or `ck-sso-cli login --profile my_profile`) | ||
| - In case of default, the credentials will be written in the `~/.aws/credentials` file under the default section | ||
| - In case of a named profile, the credentials will be writtne in the `~/.aws/credentials` file under the named profile section | ||
| - You can now start using AWS CLI | ||
| - Once the credentials expire, run `ck-sso-cli login` (or `ck-sso-cli login --profile my_profile`) again and the credentials would be updated |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,63 +1,67 @@ | ||
| import sys | ||
| import json | ||
| import subprocess | ||
| import os | ||
|
|
||
|
|
||
| def configure_utility(): | ||
| # Retrieving the directory where .ck-sso-cli/ folder is present | ||
| cmd = 'echo $HOME' | ||
| directory = subprocess.run(cmd, shell=True, capture_output=True) | ||
| directory = directory.stdout.decode('utf-8') | ||
| directory = directory.split('\n') | ||
| directory = directory[0] | ||
|
|
||
| # Setting the profile | ||
|
|
||
| profile = 'default' | ||
| if len(sys.argv) == 2: | ||
| print('Using default profile') | ||
| elif len(sys.argv) == 4: | ||
| if sys.argv[2] == '--profile': | ||
| profile = sys.argv[3] | ||
| print(f'Using {profile} profile') | ||
| else: | ||
| print(f'Invalid flag {sys.argv[2]}. Acceptable flag is --profile.') | ||
| exit() | ||
|
|
||
| config = {} | ||
|
|
||
| # Reading existing data from ~/.ck-sso-cli/config.json | ||
| try: | ||
| config_file_read = open(f'{directory}/.ck-sso-cli/config.json', 'r') | ||
| config_file_read.close() | ||
| except: | ||
| os.system('mkdir ~/.ck-sso-cli') | ||
| os.system ('touch ~/.ck-sso-cli/config.json') | ||
|
|
||
| with open(f'{directory}/.ck-sso-cli/config.json', 'r') as config_file_read: | ||
| try: | ||
| config = json.load(config_file_read) | ||
| except: | ||
| pass | ||
|
|
||
| # Writing data to ~/.ck-sso-cli/config.json | ||
| with open(f'{directory}/.ck-sso-cli/config.json', 'w') as config_file_write: | ||
| email_id = input('Enter your Email ID: ') | ||
| sso_start_url = input('Enter the start URL of your SSO:') | ||
| sso_region = input('Enter the region where SSO is provisioned: ') | ||
| sso_account_id = input("Enter the SSO Account ID: ") | ||
| sso_role_name = input("Enter the SSO Assume_Role Name: ") | ||
| destination_role_arn = input("Enter the Role ARN of the destination account which you wish to assume: ") | ||
| region = 'us-east-1' | ||
| output = 'json' | ||
| config[profile]={} | ||
| config[profile]['sso_start_url']=sso_start_url | ||
| config[profile]['sso_region']=sso_region | ||
| config[profile]['sso_account_id']=sso_account_id | ||
| config[profile]['sso_role_name']=sso_role_name | ||
| config[profile]['region']=region | ||
| config[profile]['output']=output | ||
| config[profile]['destination_role_arn']=destination_role_arn | ||
| config[profile]['email_id']=email_id | ||
| json.dump(config,config_file_write) | ||
| import sys | ||
| import json | ||
| import subprocess | ||
| import os | ||
|
|
||
| def configure_utility(): | ||
| # Retrieving the directory where .ck-sso-cli/ folder is present | ||
|
|
||
| if sys.platform.startswith('linux') or sys.platform.startswith('darwin'): | ||
| # Linux or MacOS | ||
| cmd = 'echo $HOME' | ||
| elif sys.platform.startswith('win'): | ||
| # Windows | ||
| cmd = 'echo %USERPROFILE%' | ||
|
|
||
| directory = subprocess.run(cmd, shell=True, capture_output=True) | ||
| directory = directory.stdout.decode('utf-8').strip() | ||
|
|
||
| # Setting the profile | ||
| profile = 'default' | ||
| if len(sys.argv) == 2: | ||
| print('Using default profile') | ||
| elif len(sys.argv) == 4: | ||
| if sys.argv[2] == '--profile': | ||
| profile = sys.argv[3] | ||
| print(f'Using {profile} profile') | ||
| else: | ||
| print(f'Invalid flag {sys.argv[2]}. Acceptable flag is --profile.') | ||
| exit() | ||
|
|
||
| config = {} | ||
|
|
||
| # Reading existing data from ~/.ck-sso-cli/config.json | ||
| try: | ||
| config_file_read = open(os.path.join(directory, '.ck-sso-cli', 'config.json'), 'r') | ||
| config_file_read.close() | ||
| except FileNotFoundError: | ||
| os.makedirs(os.path.join(directory, '.ck-sso-cli'), exist_ok=True) | ||
| with open(os.path.join(directory, '.ck-sso-cli', 'config.json'), 'w') as f: | ||
| f.write("{}") | ||
|
|
||
| with open(os.path.join(directory, '.ck-sso-cli', 'config.json'), 'r') as config_file_read: | ||
| try: | ||
| config = json.load(config_file_read) | ||
| except json.JSONDecodeError: | ||
| pass | ||
|
|
||
| # Writing data to ~/.ck-sso-cli/config.json | ||
| with open(os.path.join(directory, '.ck-sso-cli', 'config.json'), 'w') as config_file_write: | ||
| email_id = input('Enter your Email ID: ') | ||
| sso_start_url = input('Enter the start URL of your SSO:') | ||
| sso_region = input('Enter the region where SSO is provisioned: ') | ||
| sso_account_id = input("Enter the SSO Account ID: ") | ||
| sso_role_name = input("Enter the SSO Assume_Role Name: ") | ||
| destination_role_arn = input("Enter the Role ARN of the destination account which you wish to assume: ") | ||
| region = 'us-east-1' | ||
| output = 'json' | ||
| config[profile] = {} | ||
| config[profile]['sso_start_url'] = sso_start_url | ||
| config[profile]['sso_region'] = sso_region | ||
| config[profile]['sso_account_id'] = sso_account_id | ||
| config[profile]['sso_role_name'] = sso_role_name | ||
| config[profile]['region'] = region | ||
| config[profile]['output'] = output | ||
| config[profile]['destination_role_arn'] = destination_role_arn | ||
| config[profile]['email_id'] = email_id | ||
| json.dump(config, config_file_write) |
Oops, something went wrong.